CanSecWest: Security Masters Dojo Vancouver
Advanced Binary Deobfuscation Using MetasmRegister for March 7th Course
Register for March 8th Course
Yoann Guillot, Sogeti/ESEC
Malware code gets more and more sophisticated, requiring always more powerful tools to handle.
Metasm is a framework to manipulate binary code, and it is well adapted to work on this kind of targets. The framework is full-ruby, which means you can script, automate or replace any part of it.
This course will introduce you to the basics of the framework, and will also introduce some advanced features, so that you are well armed to face binary protected code.
PREREQUISITE WARNING Each class has prerequisites for software loads and a laptop is mandatory. These individual class guides will list material the students are expected have knowledge about coming in and software tools that need to be pre-installed before attending so you get the maximum benefit from the focused intermediate or advanced level course. Please pay particular attention to the prerequisites, as the material listed there will not be reviewed in the courses, and will be necessary to get the maximum benefit out of these educational programs.
- Introduction to the framework
- General overview
- Core classes
- Hands-on/Interactive disassembly of a binary file
- Extending the disassembler through plugins
- Static binary deobfuscation, using advanced code patterns & replacement
- Reversing a virtual machine based obfuscation scheme
- disassembly of the custom PCode, using static and dynamic analysis (debugging)
Requirements- A laptop running Linux or Windows
- Students must be familiar with Ia32 assembly